Close Open Privacy Scan
App Privacy Score
Low risk · 1197 finding(s)
Dependency score: 22 (High risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Application data flows
No application data flows were found. See dependency data flows below.
hub Dependency data flows (111)
pkgs/npm/[email protected]/src/realtime/realtime-session.ts:110 → pkgs/npm/[email protected]/src/realtime/realtime-session.ts:110pkgs/npm/[email protected]/auth/workload-identity-auth.js:46 → pkgs/npm/[email protected]/auth/workload-identity-auth.js:53pkgs/npm/[email protected]/auth/workload-identity-auth.mjs:42 → pkgs/npm/[email protected]/auth/workload-identity-auth.mjs:49pkgs/npm/[email protected]/src/auth/workload-identity-auth.ts:60 → pkgs/npm/[email protected]/src/auth/workload-identity-auth.ts:69pkgs/npm/@[email protected]/lib/credentials/oidc-federation.js:39 → pkgs/npm/@[email protected]/lib/credentials/oidc-federation.js:42pkgs/npm/@[email protected]/lib/credentials/oidc-federation.mjs:36 → pkgs/npm/@[email protected]/lib/credentials/oidc-federation.mjs:39pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:91 → pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:94pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:55 → pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:58pkgs/npm/@[email protected]/src/lib/credentials/oidc-federation.ts:80 → pkgs/npm/@[email protected]/src/lib/credentials/oidc-federation.ts:83pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:92 → pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:95pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:30pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:42pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:45pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:51pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:53pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:59pkgs/npm/@[email protected]/examples/src/async_chat_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_no_streaming.ts:15pkgs/npm/@[email protected]/examples/src/async_chat_prediction.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_prediction.ts:33pkgs/npm/@[email protected]/examples/src/async_chat_with_image_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_with_image_no_streaming.ts:27pkgs/npm/@[email protected]/examples/src/async_embeddings.ts:3 → pkgs/npm/@[email protected]/examples/src/async_embeddings.ts:20pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:24pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:28pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:32pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:36pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:127pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:128pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:147pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:150pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:151pkgs/npm/@[email protected]/examples/src/async_json_format.ts:3 → pkgs/npm/@[email protected]/examples/src/async_json_format.ts:16pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:6 → pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:33pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_url.ts:3 → pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_url.ts:15pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:4 → pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:52pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:4 → pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:70pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:27pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:23pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:38pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:107 → pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:153pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:162 → pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:213pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:35pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:42pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:47pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:14 → pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:61pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:14 → pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:74pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:7 → pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:30pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:7 → pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:32pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:30pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:47pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:50pkgs/npm/@[email protected]/packages/mistralai-azure/examples/chatComplete.example.ts:18 → pkgs/npm/@[email protected]/packages/mistralai-azure/examples/chatComplete.example.ts:35pkgs/npm/@[email protected]__reposrc/samples/api_version.js:26 → pkgs/npm/@[email protected]__reposrc/samples/api_version.js:33pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:58pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:65pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:134pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:138pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:151pkgs/npm/@[email protected]__reposrc/samples/cache.js:192 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:216pkgs/npm/@[email protected]__reposrc/samples/cache.js:225 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:251pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:284pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 → pkgs/npm/@[email protected]__reposrc/samples/cache.js:291pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 → pkgs/npm/@[email protected]__reposrc/samples/chat.js:45pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 → pkgs/npm/@[email protected]__reposrc/samples/chat.js:47pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:24 → pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:36pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:44 → pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:66pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:74 → pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:87pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:27 → pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:56pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:64 → pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:76pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:45pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:55pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:86pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:96pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:132pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:140pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:178pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:186pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:242pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:250pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:302pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:311pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:335pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:349pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:368pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 → pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:388pkgs/npm/@[email protected]__reposrc/samples/embed.js:24 → pkgs/npm/@[email protected]__reposrc/samples/embed.js:31pkgs/npm/@[email protected]__reposrc/samples/embed.js:39 → pkgs/npm/@[email protected]__reposrc/samples/embed.js:56pkgs/npm/@[email protected]__reposrc/samples/files.js:31 → pkgs/npm/@[email protected]__reposrc/samples/files.js:41pkgs/npm/@[email protected]__reposrc/samples/files.js:31 → pkgs/npm/@[email protected]__reposrc/samples/files.js:69pkgs/npm/@[email protected]__reposrc/samples/files.js:78 → pkgs/npm/@[email protected]__reposrc/samples/files.js:102pkgs/npm/@[email protected]__reposrc/samples/files.js:78 → pkgs/npm/@[email protected]__reposrc/samples/files.js:117pkgs/npm/@[email protected]__reposrc/samples/files.js:126 → pkgs/npm/@[email protected]__reposrc/samples/files.js:133pkgs/npm/@[email protected]__reposrc/samples/files.js:126 → pkgs/npm/@[email protected]__reposrc/samples/files.js:161pkgs/npm/@[email protected]__reposrc/samples/files.js:170 → pkgs/npm/@[email protected]__reposrc/samples/files.js:194pkgs/npm/@[email protected]__reposrc/samples/files.js:170 → pkgs/npm/@[email protected]__reposrc/samples/files.js:209pkgs/npm/@[email protected]__reposrc/samples/files.js:222 → pkgs/npm/@[email protected]__reposrc/samples/files.js:239pkgs/npm/@[email protected]__reposrc/samples/files.js:220 → pkgs/npm/@[email protected]__reposrc/samples/files.js:267pkgs/npm/@[email protected]__reposrc/samples/files.js:275 → pkgs/npm/@[email protected]__reposrc/samples/files.js:281pkgs/npm/@[email protected]__reposrc/samples/files.js:290 → pkgs/npm/@[email protected]__reposrc/samples/files.js:304pkgs/npm/@[email protected]__reposrc/samples/files.js:314 → pkgs/npm/@[email protected]__reposrc/samples/files.js:327pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:61 → pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:93pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:24 → pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:37pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:24 → pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:38pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:28 → pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:50pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:59 → pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:85pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:31 → pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:50pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:61 → pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:75pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:24 → pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:35pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:31 → pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:37pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:64 → pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:84pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:125 → pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:149pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:194 → pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:214pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:223 → pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:255</> First-Party Code
first-party (npm)
npm first-partyexpand_more 49 low-confidence finding(s)
const response = await fetch(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.EDGE_CONFIG) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[name]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(fullUrl, requestInit)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(fullUrl, {
method: "GET",
headers: headers
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SUPABASE_SERVICE_ROLE_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_OLLAMA_URL + "/api/chat",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(url, {
method: "POST",
body: JSON.stringify(body),
signal: controller.signal
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
fetch(dataURL)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.NEXT_PUBLIC_OLLAMA_URL) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(workspaceImageUrl)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
!!process.env.NEXT_PUBLIC_OPENAI_ORGANIZATION_ID
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.NEXT_PUBLIC_USER_FILE_SIZE_LIMIT || "10000000"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Boolean(process.env[type])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(
process.env.NEXT_PUBLIC_OLLAMA_URL + "/api/tags"
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.NEXT_PUBLIC_OLLAMA_URL + "/api/tags"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch("https://openrouter.ai/api/v1/models")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[envKey]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
;(profile as any)[profileKey] = process.env[envKey]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_URL!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
enabled: process.env.ANALYZE === "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): __tests__/playwright-test
npm first-partyexpand_more 3 low-confidence finding(s)
forbidOnly: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workers: process.env.CI ? 1 : undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
@google/generative-ai
npm dependency console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(cacheResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`\n\nmodel: ${result.response.text()}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`\n\nmodel: ${result.response.text()}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`\n\nmodel: ${result.response.text()}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(cacheGetResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(item);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("initial cache data:", cacheResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("updated cache data:", cacheUpdateResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(countResult.totalTokens); // 11
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(generateResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(countResult.totalTokens); // 10
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chatResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(countResult.totalTokens); // 265
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(generateResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(countResult.totalTokens); // 265
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(generateResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(countResult.totalTokens); // 302
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(generateResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.totalTokens); // 10
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(generateResult.response.usageMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(resultNoInstructions);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(resultWithInstructions);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(resultNoTools);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(resultWithTools);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.embedding);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.embeddings);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Uploaded file ${uploadResponse.file.displayName} as: ${uploadResponse.file.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`name: ${file.name} | display name: ${file.displayName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Retrieved file ${getResponse.displayName} as ${getResponse.uri}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Deleted ${uploadResult.file.displayName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result2.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.candidates[0].logprobsResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.candidates[0].safetyRatings);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.candidates[0].safetyRatings);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.candidates[0].groundingMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.candidates[0].groundingMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.response.text());
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
expand_more 156 low-confidence finding(s)
const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "package.json")));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(`${mediaPath}/jetpack.jpg`)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheManager = new GoogleAICacheManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data: Buffer.from(fs.readFileSync(path)).toString("base64"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const file = fs.readFileSync(join(samplesDir, filename), "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const typings = fs.readFileSync(filePath, "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const file = fs.readFileSync(join(samplesDir, filename), "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(join(samplesDir, filename), newFileLines.join("\n"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const API_KEY = process.env.API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = fs.readFileSync(sanitizedPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const licenseHeader = fs.readFileSync(
join(__dirname, "./license.txt"),
"utf-8",
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContents = paths.map((path) => fs.readFileSync(path, "utf-8"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.writeFileSync(path, result, "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = await readFile("./test-utils/cat.png");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = await readFile("./test-utils/cat.png");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = await readFile("./test-utils/cat.png");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = await readFile("./test-utils/cat.png");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const file = fileData instanceof Buffer ? fileData : readFileSync(fileData);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY || "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const imageBuffer = fs.readFileSync(
join(__dirname, "../../test-utils/cat.png"),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fullText = fs.readFileSync(join(mockResponseDir, filename), "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fullText = fs.readFileSync(join(mockResponseDir, filename), "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
<script>window.process = { env: { GEMINI_API_KEY: "${process.env.GEMINI_API_KEY}" } }</script>
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@mistralai/mistralai
npm dependencyconsole.log(`Created job with ID: ${job.id}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Job status: ${job.status}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Job is done, status ${job.status}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(response.body);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(output);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Error file ID: ${job.errorFile}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Chat:", chatResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chatResponse.choices[0]?.message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("JSON:", chatResponse.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Embeddings Batch:", embeddingsBatchResponse.data);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(createdFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(files);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(retrievedFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(deletedFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`calling functionName: ${functionName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`functionParams: ${toolCall.function.arguments}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(response.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`calling functionName: ${functionName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`functionParams: ${toolCall.function.arguments}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Chat:", chatResponse.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("OCR ", ocrResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("OCR:", ocrResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("\n", parsedAccumulatedStream);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("\n", chatResponse.choices[0].message.parsed);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Success", chatResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`created prompt ${promptId} (v${prompt.version})`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`production -> v${live.version}: ${live.definition?.content}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error(`\nTranscription error: ${errorMessage}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error(`Transcription error: ${errorMessage}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(inner.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`turn ${i + 1}: prompt=${String(promptTokens).padStart(4)} ` +
`completion=${String(completionTokens).padStart(4)} -> ${finalText(message.content)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`TOTAL: prompt=${totalPrompt} completion=${totalCompletion} ` +
`(sum ${totalPrompt + totalCompletion})`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`typeof content = ${Array.isArray(content) ? "Array" : typeof content}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(JSON.stringify(content, null, 2));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`created skill ${skillId} (v${skill.version}), assets: ${Object.keys(
skill.definition?.assets ?? {},
)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`published v${version.version}, moved 'main' to it`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`main -> v${runnable.version}: ${runnable.definition?.description}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
expand_more 59 low-confidence finding(s)
return this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await observability.runWithContext(activeContext, () => this.wrappedClient.request(request));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input, init);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blob = new Blob([fs.readFileSync(filePath)], {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blob = new Blob([fs.readFileSync(filePath)], {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.MISTRAL_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const uploaded_file = fs.readFileSync(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.MISTRAL_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const azureAPIKey = process.env["AZURE_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const azureEndpoint = process.env["AZURE_ENDPOINT"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const projectId = process.env["GOOGLE_PROJECT_ID"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_API_KEY"],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_BASE_URL"] ?? "wss://api.mistral.ai",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_API_KEY"],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_BASE_URL"] ?? "https://api.mistral.ai",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: process.env["MISTRAL_API_KEY"] ?? "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fetch(input);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input, init);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input, init);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
() => this.wrappedClient.request(request)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input, init);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@anthropic-ai/sdk
npm dependency resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${types_1.OAUTH_API_BETA_HEADER},${types_1.FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${version_1.VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${OAUTH_API_BETA_HEADER},${FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': types_1.OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${version_1.VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${OAUTH_API_BETA_HEADER},${FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 266 low-confidence finding(s)
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.get((0, path_1.path) `/v1/agents/${agentID}?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/agents/${agentID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/deployment_runs/${deploymentRunID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/deployment_runs/${deploymentRunID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/deployments/${deploymentID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/deployments/${deploymentID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/dreams/${dreamID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/dreams/${dreamID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/environments/${environmentID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/environments/${environmentID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/environments/${environmentID}/work/poll?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString(),
...(anthropicWorkerID != null ? { 'Anthropic-Worker-ID': anthropicWorkerID } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/environments/${environmentID}/work/stats?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/environments/${environmentID}/work/poll?beta=true`, {
query,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString(),
...(anthropicWorkerID != null ? { 'Anthropic-Worker-ID': anthropicWorkerID } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/environments/${environmentID}/work/stats?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/files/${fileID}/content?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/files/${fileID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/files/${fileID}/content?beta=true`, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/files/${fileID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/memory_stores/${memoryStoreID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/memory_stores/${memoryStoreID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/messages/batches/${messageBatchID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/messages/batches/${messageBatchID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/models/${modelID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/models/${modelID}?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/sessions/${sessionID}/events/stream?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/sessions/${sessionID}/events/stream?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/sessions/${sessionID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/sessions/${sessionID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/sessions/${session_id}/threads/${threadID}/stream?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/sessions/${session_id}/threads/${threadID}/stream?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/sessions/${session_id}/threads/${threadID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/sessions/${session_id}/threads/${threadID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/skills/${skillID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/skills/${skillID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/skills/${skillID}/versions?beta=true`, (0, uploads_1.multipartFormRequestOptions)({
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/skills/${skill_id}/versions/${version}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/skills/${skill_id}/versions/${version}/content?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/skills/${skillID}/versions?beta=true`, multipartFormRequestOptions({
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/skills/${skill_id}/versions/${version}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/skills/${skill_id}/versions/${version}/content?beta=true`, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/tunnels/${tunnel_id}/certificates/${certificateID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/tunnels/${tunnel_id}/certificates/${certificateID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/tunnels/${tunnelID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/tunnels/${tunnelID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/user_profiles/${userProfileID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/user_profiles/${userProfileID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/vaults/${vaultID}?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/vaults/${vaultID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/messages/batches/${messageBatchID}`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/messages/batches/${messageBatchID}`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/v1/models/${modelID}`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/v1/models/${modelID}`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.get(path`/v1/agents/${agentID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/deployment_runs/${deploymentRunID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/deployments/${deploymentID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/dreams/${dreamID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/environments/${environmentID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/environments/${environment_id}/work/${workID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/environments/${environmentID}/work/poll?beta=true`, {
query,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString(),
...(anthropicWorkerID != null ? { 'Anthropic-Worker-ID': anthropicWorkerID } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/environments/${environmentID}/work/stats?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/files/${fileID}/content?beta=true`, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/files/${fileID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/memory_stores/${memoryStoreID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(
path`/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}?beta=true`,
{
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
},
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`,
{
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
},
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/messages/batches/${messageBatchID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/models/${modelID}?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/sessions/${sessionID}/events/stream?beta=true`, {
query,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
}) as APIPromise<Stream<BetaManagedAgentsStreamSessionEvents>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/sessions/${sessionID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/sessions/${session_id}/threads/${threadID}/stream?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
stream: true,
}) as APIPromise<Stream<ThreadsAPI.BetaManagedAgentsStreamSessionThreadEvents>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/sessions/${session_id}/threads/${threadID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/skills/${skillID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/skills/${skillID}/versions?beta=true`,
multipartFormRequestOptions(
{
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
},
this._client,
false,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/skills/${skill_id}/versions/${version}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/skills/${skill_id}/versions/${version}/content?beta=true`, {
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString(),
Accept: 'application/binary',
},
options?.headers,
]),
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/tunnels/${tunnel_id}/certificates/${certificateID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/tunnels/${tunnelID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/user_profiles/${userProfileID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`,
{
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
},
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/vaults/${vaultID}?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/messages/batches/${messageBatchID}`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client
.get(batch.results_url, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
stream: true,
__binaryResponse: true,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/v1/models/${modelID}`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
openai
npm dependency const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 363 low-confidence finding(s)
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.get((0, path_1.path) `/organization/admin_api_keys/${keyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/admin_api_keys/${keyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/certificates/${certificateID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/certificates/${certificateID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/groups/${groupID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/groups/${groupID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/groups/${group_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/groups/${group_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/invites/${inviteID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/invites/${inviteID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${project_id}/api_keys/${apiKeyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${project_id}/api_keys/${apiKeyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${projectID}/data_retention`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${projectID}/data_retention`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${project_id}/groups/${groupID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${project_id}/groups/${groupID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/projects/${project_id}/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/projects/${project_id}/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${projectID}/hosted_tool_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${projectID}/hosted_tool_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${projectID}/model_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${projectID}/model_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${projectID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${projectID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/projects/${project_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/projects/${project_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/projects/${project_id}/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/projects/${project_id}/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/projects/${project_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/projects/${project_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/organization/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/organization/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/batches/${batchID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/batches/${batchID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/assistants/${assistantID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/assistants/${assistantID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/assistants/${assistantID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/assistants/${assistantID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/chatkit/threads/${threadID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/chatkit/threads/${threadID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/responses/${responseID}?beta=true`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params?.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/responses/${responseID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/responses/${responseID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params?.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/responses/${responseID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}/messages`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/threads/${thread_id}/messages/${messageID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}/messages`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/threads/${thread_id}/messages/${messageID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/threads/${thread_id}/runs/${runID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/threads/${thread_id}/runs/${runID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/threads/${thread_id}/runs/${run_id}/steps/${stepID}`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/threads/${thread_id}/runs/${run_id}/steps/${stepID}`, {
query,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/threads/${threadID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/threads/${threadID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/chat/completions/${completionID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/chat/completions/${completionID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/containers/${containerID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/containers/${containerID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/containers/${container_id}/files/${fileID}/content`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/containers/${container_id}/files/${fileID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/containers/${containerID}/files`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/containers/${container_id}/files/${fileID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/containers/${containerID}/files`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/containers/${container_id}/files/${fileID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/conversations/${conversationID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/conversations/${conversationID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/conversations/${conversation_id}/items/${itemID}`, {
query,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/conversations/${conversation_id}/items/${itemID}`, {
query,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/evals/${evalID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/evals/${evalID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/evals/${eval_id}/runs/${run_id}/output_items/${outputItemID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/evals/${eval_id}/runs/${run_id}/output_items/${outputItemID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/files/${fileID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/files/${fileID}/content`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/files/${fileID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/files/${fileID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/fine_tuning/checkpoints/${fineTunedModelCheckpoint}/permissions`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/fine_tuning/checkpoints/${fineTunedModelCheckpoint}/permissions`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/fine_tuning/jobs/${fineTuningJobID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/models/${model}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/models/${model}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/accept`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/hangup`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/refer`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/reject`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/accept`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/hangup`, {
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/refer`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/reject`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/responses/${responseID}`, {
query,
...options,
stream: query?.stream ?? false,
__security: { bearerAuth: true },
})._thenUnwrap((rsp) => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/responses/${responseID}`, {
query,
...options,
stream: query?.stream ?? false,
__security: { bearerAuth: true },
})._thenUnwrap((rsp) => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/skills/${skillID}/content`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/skills/${skillID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/skills/${skillID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/skills/${skillID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/skills/${skill_id}/versions/${version}/content`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/skills/${skill_id}/versions/${version}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/skills/${skillID}/versions`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/skills/${skill_id}/versions/${version}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/skills/${skillID}/versions`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/skills/${skill_id}/versions/${version}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/parts`, (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/parts`, multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/vector_stores/${vector_store_id}/file_batches/${batchID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/vector_stores/${vector_store_id}/file_batches/${batchID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/vector_stores/${vector_store_id}/files/${fileID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/vector_stores/${vector_store_id}/files/${fileID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/vector_stores/${vectorStoreID}`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/vector_stores/${vectorStoreID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/videos/${videoID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/videos/${videoID}/content`, {
query,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get((0, path_1.path) `/videos/characters/${characterID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/videos/${videoID}/remix`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/videos/${videoID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/videos/${videoID}/content`, {
query,
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path `/videos/characters/${characterID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/videos/${videoID}/remix`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(
`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.get(path`/organization/admin_api_keys/${keyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/certificates/${certificateID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/groups/${groupID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/groups/${group_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/invites/${inviteID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${project_id}/api_keys/${apiKeyID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${projectID}/data_retention`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${project_id}/groups/${groupID}`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/projects/${project_id}/groups/${group_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${projectID}/hosted_tool_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${projectID}/model_permissions`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${projectID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/projects/${project_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`,
{ body, ...options, __security: { adminAPIKeyAuth: true } },
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/organization/projects/${project_id}/service_accounts/${serviceAccountID}`,
{ body, ...options, __security: { adminAPIKeyAuth: true } },
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${project_id}/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/projects/${project_id}/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/projects/${project_id}/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/spend_alerts/${alertID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/users/${user_id}/roles/${roleID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/organization/users/${userID}`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/batches/${batchID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/assistants/${assistantID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/assistants/${assistantID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/chatkit/threads/${threadID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/responses/${responseID}?beta=true`, {
query,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params?.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<BetaResponse> | APIPromise<Stream<BetaResponseStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/responses/${responseID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}/messages`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/threads/${thread_id}/messages/${messageID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
}) as APIPromise<Run> | APIPromise<Stream<AssistantsAPI.AssistantStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/threads/${thread_id}/runs/${runID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
}) as APIPromise<Run> | APIPromise<Stream<AssistantsAPI.AssistantStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/threads/${thread_id}/runs/${run_id}/steps/${stepID}`, {
query,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/threads/${threadID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/chat/completions/${completionID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/containers/${containerID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/containers/${container_id}/files/${fileID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/containers/${containerID}/files`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/containers/${container_id}/files/${fileID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/conversations/${conversationID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/conversations/${conversation_id}/items/${itemID}`, {
query,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/evals/${evalID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/evals/${eval_id}/runs/${run_id}/output_items/${outputItemID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/files/${fileID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/files/${fileID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/fine_tuning/checkpoints/${fineTunedModelCheckpoint}/permissions`, {
query,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/fine_tuning/jobs/${fineTuningJobID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/models/${model}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/accept`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/hangup`, {
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/refer`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/reject`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
this._client.get(path`/responses/${responseID}`, {
query,
...options,
stream: query?.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<Response> | APIPromise<Stream<ResponseStreamEvent>>
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/skills/${skillID}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/skills/${skillID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/skills/${skill_id}/versions/${version}/content`, {
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/skills/${skillID}/versions`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/skills/${skill_id}/versions/${version}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/uploads/${uploadID}/parts`,
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/vector_stores/${vector_store_id}/file_batches/${batchID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/vector_stores/${vector_store_id}/files/${fileID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/vector_stores/${vectorStoreID}`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/videos/${videoID}`, { ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/videos/${videoID}/content`, {
query,
...options,
headers: buildHeaders([{ Accept: 'application/binary' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.get(path`/videos/characters/${characterID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/videos/${videoID}/remix`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
ai
npm dependency const response = await fetch(this.api.token, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ sessionConfig: this.sessionConfig }),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 4 low-confidence finding(s)
const response = await fetch(this.api.token, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ sessionConfig: this.sessionConfig }),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(api, {
method: 'POST',
body: JSON.stringify({
prompt,
...body,
}),
credentials,
headers: withUserAgentSuffix(
{
'Content-Type': 'application/json',
...headers,
},
`ai-sdk/${VERSION}`,
getRuntimeEnvironmentUserAgent(),
),
signal: abortController.signal,
}).catch(err => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(api, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
...headers,
},
body: JSON.stringify(body),
credentials,
signal: abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(api, {
method: 'GET',
headers,
credentials,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@apidevtools/json-schema-ref-parser
npm dependencyexpand_more 2 low-confidence finding(s)
return await fs.promises.readFile(path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(u, {
method: "GET",
headers: httpOptions.headers || {},
credentials: httpOptions.withCredentials ? "include" : "same-origin",
redirect: "manual",
signal: controller ? controller.signal : null,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@hookform/resolvers
npm dependencyexpand_more 1 low-confidence finding(s)
if (schemaOptions?.context && process.env.NODE_ENV === 'development') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@radix-ui/react-avatar
npm dependencyexpand_more 2 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@radix-ui/react-context-menu
npm dependencyexpand_more 1 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@supabase/ssr
npm dependencyexpand_more 1 low-confidence finding(s)
const packageName = process.env.npm_package_name;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@supabase/supabase-js
npm dependencyexpand_more 2 low-confidence finding(s)
return (...args: Parameters<Fetch>) => fetch(...args)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(input, { ...init, headers })
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@vercel/edge-config
npm dependencyexpand_more 13 low-confidence finding(s)
if (typeof process !== 'undefined' && process.env.VERCEL_ENV)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
headers['x-edge-config-vercel-env'] = process.env.VERCEL_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV === 'development' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EDGE_CONFIG_DISABLE_DEVELOPMENT_SWR !== '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.AWS_LAMBDA_FUNCTION_NAME) return null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (typeof process !== 'undefined' && process.env.VERCEL_ENV)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
headersRecord['x-edge-config-vercel-env'] = process.env.VERCEL_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fetch(`${baseUrl}/item/${key}?version=${version}`, {
method: 'HEAD',
headers,
cache: fetchCache,
}).then((res) => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
defaultEdgeConfigClient = createClient(process.env.EDGE_CONFIG);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return defaultEdgeConfigClient.get(...args);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res: ResponseWithCachedResponse = await fetch(url, {
...customOptions,
headers,
}).then(
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch(url, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.EDGE_CONFIG_TRACE_VERBOSE === 'true' ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@xenova/transformers
npm dependencyexpand_more 9 low-confidence finding(s)
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await (await fetch(speaker_embeddings)).arrayBuffer()
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.promises.readFile(this.filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.promises.readFile(this.filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.promises.readFile(this.filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fetch(urlOrPath, { headers });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(urlOrPath);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await fs.promises.writeFile(outputPath, buffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
class-variance-authority
npm dependencyexpand_more 3 low-confidence finding(s)
branch: process.env.NEXT_PUBLIC_VERCEL_GIT_COMMIT_REF || "main",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_VERCEL_GIT_REPO_OWNER || "joe-bell",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_VERCEL_GIT_REPO_SLUG || "cva",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
d3-dsv
npm dependencyexpand_more 12 low-confidence finding(s)
import {readFileSync} from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.version(JSON.parse(readFileSync(resolve(dirname(fileURLToPath(import.meta.url)), "../package.json"))).version)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.readFile(program.args[0] || "-", (error, text) => {
if (error) throw error;
rw.dash.writeFile("-", iconv.encode(outFormat.format(inFormat.parse(iconv.decode(text, options.inputEncoding))) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.writeFile("-", iconv.encode(outFormat.format(inFormat.parse(iconv.decode(text, options.inputEncoding))) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import {readFileSync} from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.version(JSON.parse(readFileSync(resolve(dirname(fileURLToPath(import.meta.url)), "../package.json"))).version)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.readFile(program.args[0] || "-", (error, text) => {
if (error) throw error;
const rowConverter = options.autoType ? dsv.autoType : null
const rows = inFormat.parse(iconv.decode(text, options.inputEncoding), rowConverter);
rw.dash.writeFile(options.out, iconv.encode(options.newlineDelimited
? rows.map((row) => JSON.stringify(row)).join("\n") + "\n"
: JSON.stringify(rows) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.writeFile(options.out, iconv.encode(options.newlineDelimited
? rows.map((row) => JSON.stringify(row)).join("\n") + "\n"
: JSON.stringify(rows) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import {readFileSync} from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.version(JSON.parse(readFileSync(resolve(dirname(fileURLToPath(import.meta.url)), "../package.json"))).version)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.readFile(program.args[0] || "-", (error, text) => {
if (error) throw error;
text = iconv.decode(text, options.inputEncoding);
rw.dash.writeFile(options.out, iconv.encode(outFormat.format(options.newlineDelimited
? text.trim().split(/\r?\n/g).map((line) => JSON.parse(line))
: JSON.parse(text)) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rw.dash.writeFile(options.out, iconv.encode(outFormat.format(options.newlineDelimited
? text.trim().split(/\r?\n/g).map((line) => JSON.parse(line))
: JSON.parse(text)) + EOL, options.outputEncoding), (error) => {
if (error) throw error;
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gpt-tokenizer
npm dependencyexpand_more 24 low-confidence finding(s)
const fs_1 = __importDefault(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testPlanData = fs_1.default.readFileSync(testPlanPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testPlanData = fs.readFileSync(testPlanPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const template = await fs.readFile(path.join(__dirname, '../encoding/cl100k_base.ts'), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(__dirname, `../model/${modelName}.ts`), content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(__dirname, '../modelsChatEnabled.gen.ts'), tsFileContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEBUG = process.env.DEBUG === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bpeFile = await fs.readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(__dirname, `../bpeRanks/${modelName}.js`), `${preamble}
${jsCodeConstsForEachChunk.join('\n')}
/** @type {(string | number[])[]} */
const bpe = ${jsCodeBpeArray};
${jsCodeToResetHelperArrays.join('\n')}
export default bpe;`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testPlanData = fs.readFileSync(testPlanPath, 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const template = await fs.readFile(
path.join(__dirname, '../encoding/cl100k_base.ts'),
'utf8',
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(__dirname, `../model/${modelName}.ts`),
content,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(__dirname, '../modelsChatEnabled.gen.ts'),
tsFileContent,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEBUG = process.env.DEBUG === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bpeFile = await fs.readFile(filePath, 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(__dirname, `../bpeRanks/${modelName}.js`),
`${preamble}
${jsCodeConstsForEachChunk.join('\n')}
/** @type {(string | number[])[]} */
const bpe = ${jsCodeBpeArray};
${jsCodeToResetHelperArrays.join('\n')}
export default bpe;`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
i18next-resources-to-backend
npm dependencyexpand_more 2 low-confidence finding(s)
import { readFileSync } from 'fs'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(new URL('package.json', import.meta.url)))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mammoth
npm dependencyexpand_more 3 low-confidence finding(s)
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
next-pwa
npm dependencyexpand_more 18 low-confidence finding(s)
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_DOCUMENT__)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_DOCUMENT__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_IMAGE__)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_IMAGE__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_AUDIO__)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_AUDIO__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_VIDEO__)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_VIDEO__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_FONT__)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_FONT__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.__PWA_FALLBACK_DATA__ && request.url.match(/\/_next\/data\/.+\/.+\.json$/i))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return caches.match(process.env.__PWA_FALLBACK_DATA__, { ignoreSearch: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const getRevision = file => crypto.createHash('md5').update(fs.readFileSync(file)).digest('hex')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(__PWA_START_URL__)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return fetch(__PWA_START_URL__).then(function (response) {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
next-themes
npm dependencyexpand_more 4 low-confidence finding(s)
forbidOnly: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI ? 'github' : 'list',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reuseExistingServer: !process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pdf-parse
npm dependencyexpand_more 9 low-confidence finding(s)
const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filepath, image.data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filepath, page.data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dummyFile, 'dummy content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dummyFile, 'dummy content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react
npm dependencyexpand_more 14 low-confidence finding(s)
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-dom
npm dependencyexpand_more 24 low-confidence finding(s)
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-hook-form
npm dependencyexpand_more 12 low-confidence finding(s)
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI ? [['github'], ['html', { open: 'never' }]] : 'list',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reuseExistingServer: !process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = fs.readFileSync(config.reportFilePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { copyFileSync, existsSync, mkdirSync, unlinkSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testEnv = process.env.TEST_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(
require('path').resolve(__dirname, './all-exports.json'),
'utf-8',
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(path.resolve(__dirname, './all-exports.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(String(action), {
method,
headers: {
...headers,
...(encType && encType !== 'multipart/form-data'
? { 'Content-Type': encType }
: {}),
},
body: shouldStringifySubmissionData ? formDataJson : formData,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
react-i18next
npm dependencyexpand_more 1 low-confidence finding(s)
inDevelopment = process.env.NODE_ENV !== 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-syntax-highlighter
npm dependencyexpand_more 24 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/async-languages/hljs.js`),
lines.join('\n'),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/languages/hljs/supported-languages.js`),
lines.join(''),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/languages/hljs/${file}`),
lines.join(';\n'),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../AVAILABLE_LANGUAGES_HLJS.MD'),
languageMD,
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../src/languages/hljs/index.js'),
defaultExports.join(''),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/languages/prism/${file}`),
lines.join(';\n'),
err => {
if (err) {
process.exit(1);
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/languages/prism/supported-languages.js`),
lines.join(''),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/async-languages/prism.js`),
lines.join('\n'),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../AVAILABLE_LANGUAGES_PRISM.MD'),
languageMD,
err => {
if (err) {
process.exit(1);
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../src/languages/prism/index.js'),
defaultExports.join(''),
err => {
if (err) {
process.exit(1);
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../AVAILABLE_STYLES_HLJS.MD'),
styleMD,
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../src/styles/hljs/index.js'),
defaultExports.join(''),
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../demo/styles/hljs.js'),
demoStylesArray,
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(
path.join(__dirname, `../node_modules/highlight.js/styles/${file}`),
'utf-8',
(err, data) => {
if (err) {
throw err;
}
const javacriptStylesheet = css
.parse(data)
.stylesheet.rules.reduce((sheet, rule) => {
if (rule.type === 'rule') {
const style = rule.selectors.reduce((selectors, selector) => {
if (!selector.includes(ignoreStyleWithThis)) {
const selectorObject = rule.declarations.reduce(
(declarations, declaration) => {
if (
declaration.type === 'declaration' &&
declaration.property
) {
declarations[camel(declaration.property)] =
declaration.value;
}
return declarations;
},
{}
);
selectors[selector.substring(1)] = selectorObject;
}
return selectors;
}, {});
sheet = Object.keys(style).reduce((stylesheet, selector) => {
if (stylesheet[selector]) {
stylesheet[selector] = Object.assign(
{},
stylesheet[selector],
style[selector]
);
} else {
stylesheet[selector] = style[selector];
}
return stylesheet;
}, sheet);
}
return sheet;
}, {});
fs.writeFile(
path.join(__dirname, `../src/styles/hljs/${fileWithoutCSS}.js`),
`export default ${JSON.stringify(javacriptStylesheet, null, 4)}`,
err => {
if (err) {
throw err;
}
}
);
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/styles/hljs/${fileWithoutCSS}.js`),
`export default ${JSON.stringify(javacriptStylesheet, null, 4)}`,
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../AVAILABLE_STYLES_PRISM.MD'),
styleMD,
() => {}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../src/styles/prism/index.js'),
defaultExports.join(''),
() => {}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, '../demo/styles/prism.js'),
demoStylesArray,
err => {
if (err) {
throw err;
}
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(
path.join(__dirname, `${directory}/${file}`),
'utf-8',
(err, data) => {
const javacriptStylesheet = css
.parse(data)
.stylesheet.rules.reduce((sheet, rule) => {
if (rule.type === 'rule') {
const style = rule.selectors.reduce((selectors, selector) => {
const selectorObject = rule.declarations.reduce(
(declarations, declaration) => {
if (
declaration.type === 'declaration' &&
declaration.property
) {
const camelCaseDeclarationProp = camel(
declaration.property
);
const key =
camelCaseDeclarationProp.includes('moz') ||
camelCaseDeclarationProp.includes('webkit') ||
(camelCaseDeclarationProp[0] === 'o' &&
!camelCaseDeclarationProp.includes('overflow'))
? `${camelCaseDeclarationProp
.substring(0, 1)
.toUpperCase()}${camelCaseDeclarationProp.substring(
1
)}`
: camelCaseDeclarationProp;
declarations[key] = declaration.value;
}
return declarations;
},
{}
);
if (selector.substring(0, 6) === '.token') {
selector = selector.substring(7);
// Regex to fix Prism theme selectors
// - Remove further `.token` classes
// - Remove the space (descendant combinator)
// to allow for styling multiple classes
// Ref: https://github.com/react-syntax-highlighter/react-syntax-highlighter/pull/305
selector = selector.replace(/(?<=\w) (\.token)?(?=\.)/g, '');
}
selectors[selector] = selectorObject;
return selectors;
}, {});
sheet = Object.keys(style).reduce((stylesheet, selector) => {
if (stylesheet[selector]) {
stylesheet[selector] = Object.assign(
{},
stylesheet[selector],
style[selector]
);
} else {
stylesheet[selector] = style[selector];
}
return stylesheet;
}, sheet);
}
return sheet;
}, {});
fs.writeFile(
path.join(__dirname, `../src/styles/prism/${fileWithoutCSS}.js`),
`export default ${JSON.stringify(javacriptStylesheet, null, 4)}`,
() => {}
);
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(
path.join(__dirname, `../src/styles/prism/${fileWithoutCSS}.js`),
`export default ${JSON.stringify(javacriptStylesheet, null, 4)}`,
() => {}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-textarea-autosize
npm dependencyexpand_more 1 low-confidence finding(s)
const test = process.env.NODE_ENV === 'test';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sonner
npm dependencyexpand_more 4 low-confidence finding(s)
forbidOnly: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workers: process.env.CI ? 1 : undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reuseExistingServer: !process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- next prod — tarball exceeds byte cap